PART 7 OF 7

FinTech Compliance & Risk

Comprehensive coverage of AML/KYC compliance, Account Aggregator framework, data localization, cybersecurity requirements, and operational risk management.

1. AML/KYC Compliance Framework

Anti-Money Laundering (AML) and Know Your Customer (KYC) compliance is fundamental for all FinTech entities operating in India's regulated financial services sector.

1.1 Key Regulations

  • Prevention of Money Laundering Act 2002 (PMLA): Primary AML legislation
  • PMLA Rules 2005: Detailed compliance requirements
  • RBI KYC Master Direction 2016: Customer due diligence norms
  • FATF Recommendations: International AML standards

1.2 KYC Requirements

KYC Type           | Method                    | Applicable For
Full KYC           | Physical/Video KYC        | Full-service accounts
Aadhaar e-KYC      | OTP/Biometric via UIDAI   | With customer consent
Video KYC (V-KYC)  | Live video verification   | Non-face-to-face onboarding
CKYC               | Central KYC Registry      | KYC portability
Minimum KYC        | Mobile/OTP verification   | Limited accounts (PPIs, small accounts)

1.3 Customer Due Diligence (CDD)

  • Basic CDD: Identity verification, address verification
  • Enhanced CDD: For high-risk customers, PEPs, complex transactions
  • Ongoing CDD: Transaction monitoring, periodic review
  • Simplified CDD: For low-risk customers with transaction limits

Video KYC Standards

RBI's V-KYC guidelines require a live video interaction with trained officials, geo-tagging and time-stamping of the session, randomized questioning, verification of the original documents shown during the video, and secure storage of the video records for a minimum of 8 years.

2. Account Aggregator Framework

The Account Aggregator (AA) framework is India's consent-based data sharing architecture that enables individuals to share their financial data securely across institutions.

2.1 AA Ecosystem Participants

  • Account Aggregator: NBFC-AA licensed by RBI to facilitate data sharing
  • Financial Information Provider (FIP): Entities holding customer data (banks, insurers, MFs)
  • Financial Information User (FIU): Entities seeking data with customer consent (lenders, wealth managers)
  • Customer: Individual controlling their data through consent

2.2 How AA Works

  1. Customer links accounts with AA
  2. FIU requests data through AA
  3. Customer provides consent via AA
  4. AA fetches data from FIP
  5. Encrypted data shared with FIU
  6. FIU uses data for specified purpose only

2.3 Key Principles

  • Consent-Based: Customer controls all data sharing
  • Data Blind: AA cannot view/store actual data
  • Purpose Limitation: Data used only for stated purpose
  • Revocability: Customer can revoke consent anytime
  • Interoperability: Works across all AAs and financial institutions
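The six steps of section 2.2 and the principles of section 2.3 (consent-based, data-blind, purpose limitation, revocability) can be made concrete in a small model. The following is an added illustration, not code from the page or from any Account Aggregator implementation. It assumes a consent artefact is a plain dictionary, that the FIP and FIU share an end-to-end key the AA never receives (a real deployment would derive that key by a key agreement between FIP and FIU), and that a stdlib HMAC-SHA256 counter keystream with an HMAC tag stands in for the real AA encryption scheme. The AA only checks consent and relays ciphertext; its log therefore never contains customer data.

```python
"""Toy model of the Account Aggregator consent flow: an added illustration, not
code from the page or any AA implementation. Assumptions: a consent artefact is
a plain dict; FIP and FIU share an end-to-end key that the AA never receives (a
real deployment would derive it by key agreement between FIP and FIU); and the
cipher is a stdlib HMAC-SHA256 counter keystream plus HMAC tag, standing in for
the real AA encryption scheme."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: yields `length` bytes of keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: only a holder of `key` (FIP or FIU) can open the blob."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex()}


def open_sealed(key: bytes, blob: dict) -> bytes:
    """Verify the tag first, then decrypt; a tampered blob is rejected."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ciphertext", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def fip_serve(records: dict, fiu_key: bytes, customer: str) -> dict:
    """FIP side: encrypt the customer's record for the requesting FIU."""
    return seal(fiu_key, json.dumps(records[customer]).encode())


class ConsentError(Exception):
    """Raised when the AA refuses a data request."""


class AccountAggregator:
    """Checks the consent artefact and relays ciphertext; holds no decryption key."""

    def __init__(self, fips: dict):
        self.fips, self.consents, self.log = fips, {}, []  # fips: name -> callable

    def grant_consent(self, customer, fiu, fip, purpose, valid_for_s, now):
        cid = os.urandom(8).hex()
        self.consents[cid] = {"customer": customer, "fiu": fiu, "fip": fip,
                              "purpose": purpose, "expires_at": now + valid_for_s,
                              "status": "ACTIVE"}
        self.log.append(("GRANT", cid, purpose))
        return cid

    def revoke_consent(self, cid, customer):
        if self.consents[cid]["customer"] != customer:
            raise ConsentError("only the consenting customer can revoke")
        self.consents[cid]["status"] = "REVOKED"
        self.log.append(("REVOKE", cid))

    def fetch(self, cid, fiu, purpose, now):
        c = self.consents.get(cid)
        if c is None or c["status"] != "ACTIVE":
            raise ConsentError("no active consent")
        if c["fiu"] != fiu:
            raise ConsentError("consent was not granted to this FIU")
        if c["purpose"] != purpose:
            raise ConsentError("purpose limitation: consent is for %r" % c["purpose"])
        if now >= c["expires_at"]:
            raise ConsentError("consent expired")
        blob = self.fips[c["fip"]](c["customer"])
        self.log.append(("FETCH", cid, blob["ciphertext"][:16]))  # ciphertext only
        return blob


def run_demo() -> dict:
    """Steps 1-6 of section 2.2, then the refusals that section 2.3 requires."""
    now = 1_700_000_000  # constructed fixed clock
    key = os.urandom(32)  # FIP<->FIU key; never handed to the AA
    records = {"cust-1": {"account": "XXXX1234", "balance": 52000}}  # constructed
    aa = AccountAggregator({"bank-fip": lambda cust: fip_serve(records, key, cust)})

    def attempt(**kw):
        try:
            aa.fetch(**kw)
            return "OK"
        except ConsentError as e:
            return str(e)

    cid = aa.grant_consent("cust-1", "lender-fiu", "bank-fip", "loan-underwriting", 3600, now)
    blob = aa.fetch(cid, "lender-fiu", "loan-underwriting", now + 10)
    results = {
        "fiu_data": json.loads(open_sealed(key, blob)),  # FIU decrypts
        "aa_saw_plaintext": "XXXX1234" in json.dumps([aa.log, blob]),
        "wrong_purpose": attempt(cid=cid, fiu="lender-fiu", purpose="marketing", now=now + 10),
        "expired": attempt(cid=cid, fiu="lender-fiu", purpose="loan-underwriting", now=now + 4000),
    }
    aa.revoke_consent(cid, "cust-1")
    results["after_revoke"] = attempt(cid=cid, fiu="lender-fiu", purpose="loan-underwriting", now=now + 20)
    return results
```

Running `run_demo()` shows the FIU recovering the record while the AA's log and the relayed blob contain only ciphertext, and shows the AA refusing a request for a purpose other than the one consented to, a request after expiry, and any request once the customer has revoked. The checks are deliberately ordered so that status, FIU binding, purpose and expiry are each enforced before any FIP call is made.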

AA Use Cases in FinTech

Lending: Access bank statements, income data for credit assessment without physical documents

Wealth Management: Aggregate portfolio data across investments for holistic advice

Insurance: Access health records for faster underwriting

Personal Finance: Consolidated view of all financial accounts

3. Data Localization Requirements

3.1 RBI Payment Data Localization

RBI's April 2018 circular mandates that all payment data must be stored in India:

  • Full end-to-end transaction details
  • Information collected for processing
  • Applies to all payment system operators
  • Foreign leg of transaction can be shared abroad
  • Must be stored only in India (not "also in India")

3.2 DPDPA Cross-Border Data Transfer

Under DPDPA 2023:

  • Personal data can be transferred to notified countries
  • Government may restrict transfers to certain countries
  • Sectoral requirements (RBI, etc.) continue to apply

3.3 Compliance Approach

Data Type              | Requirement
Payment data           | Must be stored only in India
Customer personal data | DPDPA compliance, sectoral rules
Insurance data         | IRDAI data storage guidelines
Securities data        | SEBI guidelines, data localization norms

4. Cybersecurity Framework

4.1 RBI Cybersecurity Framework

RBI has issued comprehensive cybersecurity guidelines for banks and NBFCs:

  • Board Oversight: Board-approved cybersecurity policy
  • CISO: Appointment of Chief Information Security Officer
  • SOC: Security Operations Centre requirement
  • Incident Reporting: Within 6 hours of detection
  • Cyber Crisis Management: Plan and testing requirements

4.2 Key Security Controls

  • Multi-factor authentication
  • Encryption (at rest and in transit)
  • Network segmentation
  • Regular vulnerability assessment (VAPT)
  • Privileged access management
  • Security monitoring and logging

4.3 PCI-DSS Compliance

For payment handling entities:

  • Payment Card Industry Data Security Standard
  • Mandatory for card data handling
  • Annual certification required
  • 12 requirement categories covering security controls

Incident Reporting

All cybersecurity incidents must be reported to CERT-In within 6 hours of detection. RBI-regulated entities must additionally report to RBI. Non-compliance can result in regulatory action.

5. Operational Risk Management

5.1 RBI Operational Risk Framework

NBFCs and banks must maintain operational risk management frameworks covering:

  • Risk identification and assessment
  • Control and mitigation measures
  • Business continuity planning
  • Disaster recovery arrangements
  • Outsourcing risk management

5.2 Technology Risk Management

Risk Area           | Key Controls
System Availability | 99.5% uptime SLA, DR site, load balancing
Data Integrity      | Input validation, checksums, audit trails
Third-Party Risk    | Vendor assessment, SLA monitoring
Change Management   | Testing, approval, rollback procedures
Access Control      | Role-based access, segregation of duties

5.3 Business Continuity Planning

  • BCP document covering all critical processes
  • Maximum Tolerable Downtime (MTD) defined
  • Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
  • Annual BCP testing and drills
  • Communication plan during crisis

6. Reporting and Compliance Requirements

6.1 Regulatory Returns

  • NBFC: Quarterly returns to RBI (NBS-7, ALM statements)
  • Payment Aggregators: Monthly returns on transaction volumes
  • PPIs: Quarterly returns on outstanding balances
  • AML: STRs, CTRs to FIU-IND

6.2 Audit Requirements

  • Statutory audit (annual)
  • Internal audit (continuous)
  • Information Systems audit
  • RBI inspection (as applicable)
  • Concurrent audit for specific activities

6.3 Fair Practices Code

All lending entities must adopt a Fair Practices Code covering:

  • Transparent communication of terms
  • All-in-cost disclosure
  • Prohibition of excessive collection practices
  • Grievance redressal mechanism
  • Non-discrimination in lending

7. Comprehensive Compliance Checklist

  1. Licensing: Obtain appropriate licenses (NBFC/PA/PPI as applicable)
  2. KYC Framework: Implement RBI-compliant KYC processes
  3. AML Program: Establish AML compliance with PMLA requirements
  4. Data Localization: Store payment data only in India
  5. Cybersecurity: Implement RBI cybersecurity framework
  6. Grievance Redressal: Establish customer complaint mechanism
  7. Fair Practices: Adopt and implement Fair Practices Code
  8. Reporting: File all regulatory returns on time
  9. Audit: Complete statutory and IS audits
  10. Business Continuity: Maintain and test BCP
  11. Third-Party Management: Due diligence on all partners/vendors
  12. Documentation: Maintain all policies, procedures, records